Abstract


The phenomenal growth of the Internet and the accompanying explosion in online services present the world with a unique predicament: the medium that affords citizens a means of peaceful communication also offers malefactors an inroad for theft and destruction. The past five years mark a significant rise in the frequency and severity of nefarious online action by a wide range of actors, and that rise presents a great risk to the security of the United States. U.S. Cyber Command is assigned the task of developing and coordinating the online cyber mission of the Department of Defense, and since 2010 has been moving aggressively to develop a workforce capable of fighting and winning in cyberspace. Although Cyber Command is making great strides toward this goal, there remains a strong risk that nefarious actors presenting an advanced persistent threat will outclass the U.S. military workforce in the most intricate maneuvers of cyberspace. Further, the status quo military staffing, training, and assignment models preclude its personnel from reaching the knowledge, skills, and abilities (KSA) required for top-tier cyber war fighting.

This paper examines the advanced persistent threat, cites the People’s Republic of China as the most obvious adversary, identifies basic shortcomings of the status quo approach, and recommends non-traditional approaches to create a JSOC-like Special Forces class of advanced analyst, drawn from the top one percent of cyber operators. It includes recommendations for re-focusing the bulk of the cyber workforce onto passive defensive duties, while reserving active attack and the most difficult analytic work for an elite Cyber Corps.
Introduction


“Militaries often take time to adapt. Think World War One and generals using Waterloo tactics.”

John  Arquilla,  2012 

The U.S. military must be prepared to fight, dominate, and win the next-generation battles it will wage by, in, and through the domain of cyberspace. It is therefore imperative that its mission focus be on the threat sectors, complexity levels, and work roles that are reasonably and realistically achievable within the constraints of its workforce. Understanding the knowledge, skills, and abilities (KSA) and tradecraft of its adversaries, and the strengths and weaknesses of its own forces, is key to recruiting, training, and fielding a workforce suited to the challenges at hand. This paper examines discrete issues affecting the U.S. military mission in operational cyber warfare, specifically considering the most capable adversary class, herein described as the advanced persistent threat (APT). It considers the capabilities of the U.S. military forces aligned against that class, identifies the capability disparity that exists between them, and recommends specific courses of action that may close the gap or alter the paradigm.

This paper argues that the KSA of the most capable state-sponsored APT cyber actors threatening America significantly outclass those of the U.S. military workforce postured to fight against them. Further, it suggests that current cyber force modernization plans will yield forces ready to combat the bulk of the threats, but will fall short in creating master-level experts able to defeat the APT. Overcoming this disparity requires a non-traditional approach to career advancement and the development of the top one percent (TOP) of U.S. military cyber professionals into true “world class” operators.
Discussing Cyberspace


For the average global citizen, cyberspace and the Internet are nebulous terms of which they have little understanding and about which they have little concern. Users simply expect to get what they want, when they want it, and how they want it; further, they expect 100% availability of all data types, in great volumes, at high speed, with absolute security. To provide such service, global IT providers juggle myriad challenges crossing physical, logical, and virtual boundaries to contend with the paradigm of volume, variety, velocity, and veracity, or V4. IT provider International Business Machines (IBM) depicts this domain in a quad chart called The Big Data & Analytics Hub,1 which captures the essence of the problem: volume (scale of data) is near incomprehensible; velocity (speed of data) must be blindingly fast; variety (forms of data) is infinitely diverse; and veracity (integrity of data) is essential.

Almost every sector of contemporary society relies to some extent on the collective services of the Internet and its assured availability. The V4 paradigm represents different things to different people: for providers, it is a complex technical challenge; for businesses, it is an incredible income opportunity; for consumers, it is a means of getting services; for security officers, it is a source of great risk; and for hackers, it is the super-highway to a target-rich environment. For the U.S. Government (USG), cyberspace is an important means by which the nation simultaneously conducts business, shares information, provides services, builds wealth, and projects soft power. The Internet is also a medium through which adversaries can virtually invade the nation to actually steal valuable intellectual property, uncover sensitive proprietary information, deface public web sites, disrupt commercial services, and wreak havoc among USG, commercial, and private services. As the nation expands interconnected services, reliance on the Internet rises accordingly, as does the risk and danger of compromise. Although the majority uses it for good, a minority uses it for bad, and defending the former against the latter is important to maintaining good social order worldwide. Ultimately, for all its benefits, the Internet presents an “Achilles’ Heel” in the defense of the nation’s Critical Infrastructure and Key Resources (CIKR).

Characterizing  the  Cyber  Threat 

Every second of each day, legions of hackers great and small, foreign and domestic, independent and state-sponsored, probe the Internet’s diverse networks, systems, websites, databases, and accounts. From spear-phishing emails and keyloggers to IP spoofing and SQL injection, hackers seek inroads, hoping that system weaknesses and poor user discipline will give way to their malicious software. Writing in Business Insider, Stuart Coulson, Director of Hosting at UKFast, describes seven basic computer hacker levels.2

1. Script Kiddies: bored kids looking for a thrill, running scripts written by others and exploiting simple operating system weaknesses

2. Hacking Group: loose affiliation of script kiddies collaborating to attack companies and media operations they tend to dislike

3. Hacktivist: like-minded hackers motivated by political, social, or religious drive, wreaking havoc on targeted governments, agencies, and corporations

4. Black Hat Professionals: experts in network security, software coding, and decryption, throwing their talent at cracking systems advertised as secure

5. Organized Criminal Gangs: online theft, extortion, and globalized command and control of illegal acts, infusing organized crime with new-found wealth

6. Nation States: the top of the heap from the perspective of technical capability, operational prowess, access and funding, and potential risk level

7. The Automated Tool: customized software tool operating independently, often self-reproducing and self-propagating once launched

Broad ranges of perpetrators exist, visualized as a hierarchical pyramid with the highest percentage of lowest-skilled forming the base, and the lowest percentage of highest-skilled forming the peak. All seven hacking categories represent some threat level to the nation:

• Low = Levels 1-3 (Script Kiddie, Hacking Group, Hacktivist)

• Medium = Levels 4-5 (Black Hat Professionals, Organized Criminal Gangs)

• High = Levels 6-7 (Nation States, Automated Tool)

Major  Global  Actors 

Network security writing is prolific, with new reports regularly detailing significant incidents or modified tactics. Security firms and research organizations such as Mandiant, RSA, Trend Micro, Project 2049, and Symantec figure among the most vocal and authoritative sources, and their reports help us understand the threats and risks posed by the most advanced cyber actors. The collective body of knowledge places the People’s Republic of China (PRC) and the Russian Federation at the pinnacle of the state-sponsored threat pyramid, with China blamed for over 95% of the world’s cyber spying campaigns, followed by Romania, Russia, and Bulgaria.3 Although other nations also possess advanced capabilities, their engagement levels are more benign in terms of expert personnel, aggressive action, and posture toward the U.S. In Russia, the most active players appear to be sophisticated, prolific, shadowy, and criminal, more financially motivated than ideological or nationalistic.4 Public insight into the Russian nation-state is rather sparse; still, its cyberspace engagement during its August 2008 rout of Georgian military forces in South Ossetia shows it ready and able to bring cyber skills to bear with strong effect.5 Other reports attribute the hacking of U.S. and South Korean sites to the DPRK, with other analyses pointing to Iran and Syria as emerging actors. Reports cite Iran as the most likely instigator of destructive attacks against Saudi Aramco systems in which the Shamoon virus destroyed information stored on tens of thousands of disk drives,6 and point to its likely responsibility for the distributed denial of service (DDoS) attacks levied on U.S. banking systems in 2012 as part of Operation Ababil.7

Advanced Persistent Threats

Although all threat levels present some risk to the U.S., this paper focuses on APT actors, who represent the most active, prolific, advanced, and serious threats to the nation. Ostensibly, an APT is a nation-state actor, underpinned by the finances and resources of a sovereign country, usually aided by diverse subject matter expert (SME) talent drawn from the best minds of industry, academia, and the military, and in some cases augmented by high-order Black Hat experts on a “for hire” basis. APTs are able to apply large-scale resources against complex problems, reserving the toughest tasks for their most masterful hackers.

Among open public sources, the most direct correlation with a high-order APT goes to the PRC, where online theft of U.S. and Western intellectual property and military technology is massive and continuing. As USG officials denounce the PRC for its aggressive cyber incursions into U.S. networks, companies such as Mandiant are increasingly vocal and detailed about their own cyber sleuthing of nefarious online activity. Mandiant’s groundbreaking M-Trends 2010 report first highlighted this threat and suggested the PRC as the most likely source.8 Mandiant followed up in 2013 by specifically naming People’s Liberation Army (PLA) General Staff Department (GSD) Unit 61398 as the source of APT1 (one of many APTs worldwide), whose operational focus targets U.S. military, technology, industry, and finance sectors.9 Other reporting from industry leaders such as Trend Micro, Symantec, RSA, and Project 2049 provides even more insight into the PRC’s vast computer network operations (CNO) enterprise, comprising entities from the PRC’s most technologically advanced centers of academia, industry, government, and the military, as well as “for hire” private Black Hats. It is clear that the PRC has assembled an epic team, tapping into its impressive collective national intellect.

The following reported findings highlight this diverse and capable force, and provide insight into the complex, deep, and high-end nature of the PRC CNO enterprise.

• Mandiant’s APT1 report states that APT1 has downloaded “hundreds of terabytes of data from at least 141 organizations” and has shown its ability to conduct simultaneous, deep penetration of many targets.10

• Mandiant’s APT1 report further estimates that “Unit 61398 is staffed by hundreds, and perhaps thousands of people,” and that it “requires its personnel to be trained in computer security and computer network operations and also requires its personnel to be proficient in the English language.”11

• Symantec’s Stephen Doherty reports that a PRC APT called “Hidden Lynx” has operated since 2009 and is likely aided by PRC “for hire” Black Hats. The group “is an advanced persistent threat that has been in operation for at least four years and is breaking into some of the best-protected organizations in the world.”12

• Trend Micro’s Forward-Looking Threat Research Team details the methodology of an APT campaign targeting India and Japan, masked by the use of virtual private servers, which it later attributes to hackers in the Chinese underground.13

• Project 2049’s Mark Stokes describes the PRC GSD’s Beijing North Computing Center as “most capable of cyber reconnaissance architecture design, technology development, systems engineering, and acquisition.” Further, “At least 10 subordinate divisions appear responsible for design and development of computer network defense, attack, and exploitation systems.”14

Civilian  and  Military  Cyber  Initiatives 

U.S. Army GEN Keith Alexander holds the reins as Commander, USCYBERCOM (USCC), and Director, National Security Agency/Central Security Service (NSA/CSS), a dual-hat role giving him control of a vast network of powerful intelligence systems and skilled professionals comprising federal employees, military service members, and contract civilians.15 At a 3 June 2010 Cyberspace Policy Debate sponsored by the Center for Strategic and International Studies, GEN Alexander described USCC’s role:

We at Cyber Command are responsible day to day for directing the operations and defense of the Department of Defense information networks and for the systemic and adaptive planning, integration and synchronization of cyber-activities, and when directed under the authority of the president, the secretary of defense and the commander of U.S. STRATCOM, for conducting full-spectrum military cyberspace operation to ensure U.S. and allied freedom of action in cyberspace.

In the three years since, thousands of enlisted and officer personnel have joined the ranks of USCC and the SCEs as newly minted “cyber warriors.” Simultaneously, the USG undertook a rapid hiring and training program underpinned by The Comprehensive National Cybersecurity Initiative, endorsed in President Obama’s May 2009 Cyberspace Policy Review, one foundation of which is The National Initiative for Cybersecurity Education (NICE) Strategic Plan,18 championed by the National Institute of Standards and Technology (NIST). Coincidentally, the rising specter of network attack, hacking, and malicious behavior has motivated commercial corporations to pursue university students graduating with degrees in computer science, information technology (IT), and cyber security. Government, military, and commercial employers are therefore all vying for the same critical skills among a very shallow talent pool.19

Even in federal circles, where the desired number of cybersecurity professionals has skyrocketed to 4,900 civilians, agencies are falling short in their ability to attract such personnel, as many perceive the monetary and work-life benefits to be substantially better in the commercial sector.20 Further stymieing the ability to attract top talent is the perception of restrictive work conditions, demands for security clearances, lethargic hiring processes, marginal empowerment, and, in recent months, growing public distrust of government. As the U.S. military has ramped up its own cyber programs, foundational curricula such as the Joint Cyber Analysis Course (JCAC) have arisen as common building blocks, augmented by follow-on training in more advanced studies. Across the board, each service is aggressively building its personnel, systems, and tools, and developing tactics, techniques, procedures, policies, rules of engagement, doctrine, and operational authorities.21

Identifying the Problem

As several thousand military personnel join the cyber force, a vexing question arises: “What advanced cyber fighting tasks will these troops actually be able to perform?” If the expected duties comprise network maintenance, account management, operating system patching, antivirus updating, and intrusion detection monitoring, then they simply describe traditional IT support roles. Conversely, if the expected duties include extremely complex network operations using cutting-edge tradecraft against the most concerted APTs, then the question becomes: “What should they be doing, and what can they realistically accomplish, given the adversary’s very high KSA and the constraints commonly imposed by military recruiting, training, retention, and assignment practices?” Is the traditional military manning model suited to the unique demands at hand? Many think that it is not, and fear that inexperienced cyber troops will undertake missions they are not realistically capable of performing at the advanced expertise levels demanded. This concern is increasingly relevant in light of the move to reduce contractors as part of deep cuts in defense spending, and a renewed call, in the wake of the Edward Snowden affair, for limiting intelligence duties to USG and military personnel only. Yet there is sound reasoning for hiring contractors and civilians, as they routinely have the most extensive education, advanced formal training, diverse industry certification, demonstrated skill and tradecraft mastery, and long-term continuity on the job.22

Importantly, what contractor and civilian operators have in common is that their operational roles are often their sole responsibility, even as they rise through higher pay grades and responsibility levels. They have the ability to focus, uncontested, for years on end, on deepening and maturing their KSA and gaining the mastery that only comes through sustained development over extended time. The military staffing and assignment model, in contrast, limits the period allotted for pure technical focus to a few years, after which organizational leadership and management (OL&M) roles are certain to take priority for building “the leaders of tomorrow.” The singular path of OL&M development sets the course for all personnel to (theoretically) rise to the most senior enlisted or officer ranks (even though most will not), as opposed to defining separate managerial and technical tracks for professional development and career advancement. In practice, then, there is a narrow window of opportunity to harvest competent technical performance before OL&M duties take preeminence. In many cases, the sweet spot is the enlisted grades E4-E5, where troops have completed basic through intermediate training, gained work experience, learned tradecraft skills, remain highly motivated, and are unencumbered by high volumes of OL&M tasks and collateral duties. Although most services consider an E6 to be a senior technical expert, in reality many non-commissioned officers spend only about half their time working in their technical role, and the other half expanding their leadership competencies. Unfortunately, it is at this precise point that analysts with true world-class potential are finally coming into their own and exhibiting the depth and breadth of KSA needed to defeat the APT.

The U.S. military’s foundational, generations-long force development doctrine is successful in training the leaders of tomorrow. However, it is questionable whether this approach will suffice in raising up legions of highly skilled cyber masters: experts whose training and KSA maturation require sustained full-time focus over a growth cycle many years long. Given the extreme KSA of the most advanced cyber adversaries (the enemy’s 10%), what counter-force is the U.S. military realistically able to mount? A critical mind must ask, “Is it probable, or even possible, that a 20-year-old JCAC graduate is going to battle it out head-to-head and win against so capable an adversary?” A reality check suggests such a vision is not realistic, and that the current approach will put its finest, yet unequally prepared, talent up against the most hardened cyber force the adversary has to offer. If there is danger this will be the case, then the U.S. military must correct course and adopt a new modus operandi. If it is unwilling to change, APT actors will outclass U.S. military forces, and reliance on contractor and civilian expertise will remain.

How Should We Proceed?

In the commercial world, the majority of computer security professionals are in the business of providing services and defending them: ensuring network integrity, operating intrusion detection systems, installing vulnerability patches, and keeping core services at a high state of availability. A much smaller subset performs network oversight, reconnaissance, sleuthing, and penetration testing, and hunts for hidden intruders in their networks. An even tinier percentage, comprising the most highly educated, trained, and proficient SMEs, has the prowess and accompanying authority to conduct advanced and arguably dangerous actions, such as hacking back into an intruder’s host machine to disable it through active defensive means (actions for which private parties generally lack legal authority). This industry model should also apply to the U.S. military, whereby the bulk of the cyber workforce conducts passive defensive actions at the basic, intermediate, and advanced levels, and a small body of true SMEs conducts active offensive actions against the most advanced APT. As Brett T. Williams writes in his article “Ten Propositions Regarding Cyberspace Operations”:

Cyber discussions in DOD tend to narrowly focus on computer network attack and computer network exploitation. Not enough attention is given to providing, operating, and defending the networks that define cyberspace. Attack and exploitation get the most attention because they employ some of the most sensitive capabilities and require significant legal and operational considerations. However, it is the ability to provide, operate, and defend cyberspace that should be the JFC’s top priority because these activities enable all other cyberspace operations.23

At USCC, the SCEs, and across the USG, programs are on track to field forces to combat the bulk of the global threat (the 90% problem), yet it is the top 10% of APT actors that constitute the most insidious danger. If the emerging workforce cannot contend with the most pervasive APT threat, the plan will fail unless something significant is changed. To mitigate this weakness, the U.S. military should consider a re-alignment of forces and adopt a non-traditional approach that breaks with tradition. If the U.S. military wants its troops to go head-to-head against the APT, then it must selectively recruit, train, equip, develop, and advance cyber personnel in a manner that creates and retains true master-level SMEs.

TOP  Cyber  Corps 

One interesting alternative to consider is the operational model of the Joint Special Operations Command (JSOC), an organization comprising the elite of the elite of unconventional warfare operators. To begin, each service draws raw talent through recruiting, aided by standardized testing such as the Armed Services Vocational Aptitude Battery (ASVAB). Basic training graduates go on to basic and intermediate schools for their occupational specialty, and then, based on performance and conduct, the services tap top graduates for advanced training in highly specialized career fields. True standouts in their operational units may volunteer to screen for acceptance into the most rigorous and highly selective programs in their services’ respective Special Operations Forces (SOF). From these, by-name selection takes place to staff the most elite SOF communities, such as the Navy SEALs’ DEVGRU and the Army’s Delta Force. Selected members of these elite SOF units then chop over to operate in JSOC. In practice, then, the bulk of the armed forces handle most of the conventional war fighting, individual SOF units handle most of the unconventional operations, and JSOC takes on the most advanced, dangerous, and complex operations, most often focused on counter-terrorism missions. A key factor in the success of JSOC and other SOF units is that personnel focus exclusively on their assigned roles, advancing their KSA and tackling the most complex challenges on a long-term, sustained, high-intensity basis. The services excuse these personnel from traditional OL&M functions and collateral duties so they can focus on their operational roles. Successfully combating the cyber threat of the future will require a similar “mission-first” focus, selectively tasking personnel to combat the most pervasive APT.24

Non-traditional Recruiting

Across the global stage, some of the most capable hackers are well educated and professionally trained, yet others are unschooled in the traditional sense, mastering their trade in the comfort of their bedrooms and the shadowy world of the dark Internet. These homegrown hackers long ago outgrew their peer script kiddies, hackers, activists, and Black Hats, mastered the known tradecraft, and developed new techniques. They take great pride in pushing the envelope of knowledge and advancing their art to find vulnerabilities and compromise the most secure academic, commercial, and government systems on the planet. They are essentially cyber criminals, although many are guilty only of rather benign breaches of secure services, defacement of web sites, theft of multimedia, and generic cyber hooliganism. The FBI has imprisoned or sought prosecution of many such hackers, while others remain just a few steps ahead of the law. These unscrupulous hackers are definitively not the kind of people the USG or military would want in their workforce. Or should they be? Is the U.S. missing a non-traditional source of advanced talent that already lives in its own back yard? If the Chinese and Russians hire domestic hackers to support their own nationalistic missions, should the U.S. consider doing the same in some cases?25 What if the U.S. military selected some U.S. hackers and afforded them an opportunity for a new life, accompanied by rewarding jobs, challenging work, and an ego-boosting chance to put their KSA to the test against the most advanced hackers on the planet? How many bright minds might take the bait, change their behavior, and put their talents to work for the U.S. military? As reported in The Daily Beast, the National Security Agency has already recruited at hacker conferences, telling curious onlookers, “If you have a few, shall we say, indiscretions in your past, don’t be alarmed,” adding, “By the way, if you think you saw cool things at DEF CON 20, just wait until you cross the threshold to NSA.” While this initially sounds far-fetched, it may represent a non-traditional recruiting ground worth considering on a case-by-case basis.27

Finding Hidden Talent

Although contemporary aptitude testing and career assignment schemes are applicable for the bulk of the cyber workforce, there remains the possibility of unique and undiscovered talent within the ranks. This talent pool may not even know they have “it” (whatever “it” might be), and may have never explored their skills beyond Firefox®, Word®, and Facebook®. Perhaps they grew up in a home with little to no exposure to computers and networks, yet inside them lives an undeveloped, inherent ability to comprehend complex algorithms, intricate codes, nonsensical computer language, and social personas. Like the untrained child virtuoso who arises from obscurity, somewhere in the armed services live these “born hackers.” Finding such people, and helping them develop their raw talents, presents both a difficult challenge and an interesting opportunity. Perhaps a method for such discovery resides in non-traditional testing, tailored to identify natural aptitudes, analytic thought, cognitive reasoning, and ingrained curiosity. Such a workable model might be akin to the approach of the Defense Language Aptitude Battery (DLAB), devised and administered by the Defense Language Institute (DLI). Here the main point is to test for advanced aptitude, as opposed to learned knowledge; the latter we can teach, the former we cannot.28 Personnel entering the services, and those already employed, can be screened through specialized testing to see if they possess the aptitude and attitude required for advanced cyber operations, and those found to match the profile can then be designated for special training and duty assignment, regardless of their original/current military occupational specialty code.
Retaining TOP Cyber Talent

In civilian and military arenas, the most perplexing staffing dilemmas often revolve around the question, “How do we retain the most advanced, experienced, high-end talent?” In considering a return on investment calculus within the military, what actions would ensure the continued service of those high-end SMEs who have mastered complex skills, have earned advanced certifications, and for whom private industry is aggressively recruiting? Civil service affords pay options such as annual performance bonuses and work-role premium pay scales, a sense of job security, reasonable work conditions, flexible work schedules, and family-life stability. The contemporary private security industry affords all this, adding higher pay, improved flexibility, better work conditions, excellent benefits, robust education and training, conference and symposia funding, access to state-of-the-art hardware/software, and personal empowerment. Present-day military options are much more restricted, however, and few financial incentives tie directly to personal performance, mastery of complex skills, or attainment of advanced certifications and degrees. Appealing to patriotism and promises of military retirement are low-percentage options for retaining TOP Cyber personnel. Although “money isn’t everything,” it is certainly a key factor; but so too is significantly rewarding, intellectually stimulating, technologically challenging, and ego-satisfying work. Service pressures to maximize OL&M skills while de-emphasizing technical performance (as a member advances) serve as de-motivators for many, causing some high-end SMEs to opt for civilian employment, not so much for the allure of money, but for the perpetual technical challenge and the ability to continue to advance while remaining technical. Although politically difficult, it remains feasible that the military can create new programs that emphasize career-long technical focus and grade advancement based on mastery of complex skills, accompanied by rewards such as selective reenlistment bonuses, special performance pay, advanced education opportunities, professional certification, and selected duty assignments. TOP Cyber operators with dozens of companies offering them enormous signing bonuses and job deals may choose to remain in military service if they can retain their technical focus throughout their careers. Development of the equivalent of a Cyber Warrant Officer Corps may represent one potential means for achieving the desired outcome. Another may be establishing a separate and unique technical track for cyber professionals comprising both enlisted and officer ranks. If America’s adversaries can selectively dedicate their nation’s best SMEs to advanced cyber work, should not the U.S. be able to do the same? Is not the prize worth breaking the mold of the status quo? Is the risk not worth the price of changing the modus operandi? Reality dictates that the answer is yes.

Recommendations

This paper recommends ten specific courses of action for Cyber Command consideration in recruiting, staffing, training, and retaining its growing cyber forces.

1. Continue the current recruiting and training programs in the USCC, the SCEs, and the USG, with the goal of drastically raising the overall cyber competencies of the baseline workforce.

2. Invest in fundamental training courses such as JCAC and continue to deliver advanced follow-on training on a continual, career-long basis, raising emphasis on attaining and maintaining advanced technical skills.

3. Re-focus emphasis for the mass body of cyber professionals onto cyber intelligence, surveillance, and reconnaissance (ISR) missions focused on passive defense (administer, secure, maintain, patch, update, scan, report, and maintain oversight on the DOD Information Network - DODIN).

4. Extend search and discovery (AKA “hunt”) missions to highly competent cyber personnel that master advanced courses and operational tasks, and gain the KSA/experience to distinguish, assess, and analyze APT actor actions.

5. De-emphasize the ideology of ubiquitous active cyber warfare and active defensive measures, setting aside this advanced, complex, and dangerous activity for those selected for TOP Cyber missions.

6. Create, maintain, and perpetually fund advanced industry-standard certification courses in all aspects of network security, ethical hacking, intrusion detection, and like coursework, ensuring cyber personnel remain up to date with the rapidly changing state-of-the-art.

7. Provide greatly expanded university education for enlisted and officer alike, in computer science, network security, and cyber defense, to include teaching courses through the local education centers on military bases worldwide.

8. Extend opportunities for advanced studies in related sciences to both enlisted personnel and officers, to include participation in programs at service-run schools (such as NPS and AFIT), and fellowships at contemporary civilian universities.

9. Create technical track programs that allow military cyber professionals to continue to advance in pay grade while remaining focused on technical achievement in a perpetual continuum of technical work and associated studies, as opposed to becoming managers at senior enlisted levels.

10. Create the equivalent of a JSOC-like Cyber Corps, where Joint military units will conduct the most advanced, important, “active” cyber war fighting, and the deep analytic reconnaissance, analysis, coding, and modeling needed to underpin it.

Conclusion

The cyber threat facing the U.S. presents a real and present danger to the safety and security of our nation. This is a reality understood at the highest levels of federal civilian leadership, military command, corporate industry, and advanced academia. Significant actions to raise public awareness, to raise up a new model army of cyber warriors, and to prepare to fight, survive, and win in the changing battlefield of cyberspace. Despite best intentions, there is danger and likelihood that the traditional model for military recruitment, education, training, and assignment will prove inadequate to the task of raising up and retaining the extremely high quality, master-level talent required to combat and overcome the most advanced persistent threats in cyberspace. Re-focusing the bulk of the cyber workforce toward passive defense, system sustainment, “hunting,” and related ISR disciplines, accompanied by establishment of a JSOC-like operation comprising the top one percent of the cyber workforce, raises the likelihood of success in the coming battles. The attainment of such a team demands an as-yet unseen willingness to think outside the norm and to consider non-traditional methods for recruiting, training, employing, advancing, and retaining an advanced capability work force. Traditional thinkers need not apply.